Many Fund Firms Still Not Ready For Disaster
January 27, 2003
BOSTON - "The world has changed," said Laurie Bailey, consulting manager at SunGard Planning Solutions, addressing the audience at the National Investment Company Service Association's panel on business continuity and recovery planning at its East Coast regional meeting in Boston earlier this month.
While it is simply stated, it couldn't be more accurate for the world of corporate disaster recovery. Everything has changed, and a large number of companies are not prepared for it.
As illustrated by the after-effects of Sept. 11, many companies were not prepared for such unimaginable events then, and nearly a year and a half later, many are still not fully prepared, at least that was the consensus among the approximately 250 in attendance at the conference.
Repeatedly, the panelists asked the audience, by a show of hands, if their companies had certain disaster recovery procedures or equipment in place, and most of the attendees sat on their hands. A mere two individuals in a fully packed conference hall responded affirmatively to most of the queries.
"There are a lot of companies that are still struggling with this issue," Bailey later said in an interview for Mutual Fund Market News.
"It's very complicated and it's costly. They really need to find that balance between cost versus risk." One pitfall, Bailey said, is that many companies currently have their energies focused elsewhere, such as dealing with drastic staff reductions and the sluggish economy.
When many companies are prioritizing, she said, continuity and disaster recovery planning sometimes get lost in the shuffle. "It's [considered] an optional expense instead of being integrated into their process," she said.
And if the possible terror scenarios aren't enough of a wake-up call, the panel presented some scary numbers that illustrate just how vulnerable the U.S. financial industry is. Eighty-one percent of U.S. CEOs acknowledge that their existing crisis-management plans were inadequate to handle the number of issues stemming from the attacks in 2001, according to a 2002 CSI/FBI computer crimes and security survey that Bailey cited.
Although 63% have readdressed their plans since that time, the consensus at the meeting is that many are still unprepared.
Scarier still is the fact that 85% of critical infrastructure in the U.S. is in private hands, Bailey said, citing a FBI InfraGard Chapter Presentation at Philadelphia, Drexel University last December. And further still, 86% of computer crimes originate inside the network, according to a 2000 CSI/FBI computer crimes and security survey. "One attack can affect thousands of computers," Bailey said. "It's very debilitating and costs a great deal of money to recreate data."
"Its no longer okay for us to plan for events you or your co-workers have experienced," said Susan Lilly, assistant vice president, business management group, CDC IXIS Asset Management Services, speaking at the conference. Prior to 9/11, the major crises consisted of weather-related or natural-disaster incidents, power outages, fire, PBX failures and local exchange carrier outages.
Now the realization is that terrorism, sabotage, city or region-wide incidents or even carrier bankruptcy are all factors that have to be considered.
"People need to think outside of the box when it comes to business continuity planning. It's not your traditional planning what if my data center goes down?' It's looking at other potential risks," Bailey said. "There are things outside of just infrastructure and firewalls."
"You can't just plan on your own disaster," said James Hillman of The Bank of New York, one of the two audience members who said his company's plans are up to snuff. Hillman also said companies need to think of every aspect of moving its staff to a backup site, even temporarily. He said that the BONY incurred a bill of around $34,000 just for food for the staff in the first week of a relocation to a backup site.
"It's really being sensitive to where you are and who your neighbors are," said Bailey, noting that if a company is housed in the same building as certain government agencies or potential targets, the risk factor goes way up. She said it's about identifying potential economic targets, key infrastructure to the country, American icons - and steering clear of them in order to minimize risk.
Deborah Rothe, vice president, Business Recovery Services and Telecommunications BISYS Fund Services, said that companies located abroad are not any better prepared than those here and they have a host of other factors to consider, too. "Most European operations are in the same shape as the companies over here," she said. "Do they have contingency plans? Kinda, sorta."